SecuritySnacks

SECURITYSNACKS
Suspicious LastPass Domain

Redirects to a cloned page with malicious download

We detected a suspicious LastPass-related domain, lastpass[.]shop, which resolves to an unrelated, innocuous food wholesaler site but contains complex redirects to a LastPass clone page offering a probable malicious download at lastpass[.]shop/en/.

The suspicious lastpass[.]shop is registered with Namecheap and protected by Cloudflare, whereas the legitimate lastpass[.]com is registered with Name and hosted on Akamai.

Additionally, the download offered at lastpass[.]shop is a zip containing multiple files, 10x the size of the official LastPass exe download.

SECURITYSNACKS
Student Loans Scams

Newly created domains targeting student loans

With the prevalence of student loans in the news, one thing is for certain: opportunists will build scams to capitalize on the attention. Read more of what Tim Helming had to say about threat actors and forgiveness programs in SCMagazine: https://www.scmagazine.com/analysis/fraudsters-aim-to-capitalize-on-student-loan-forgiveness-confusion

Here are the newly created domains we've seen over the past few days:
getstudentloanrelief[.]net
getstudentloanreliefnow[.]com
getstudentloanreliefnow[.]org
getstudentloanrelief[.]org
studentloanrepay[.]org
citizesstudentloans[.]com
citiznsstudentloans[.]com
getstudentloan[.]top

didstudent[.]loan
astudentloan[.]net
studentloanforgivenesspro[.]site
relief4studentloans[.]com
infostudentloan[.]com
studentloansavvy[.]com

myfederalstudentloanchangednamesdoistillbebifitforthestudent[.]loan
studentloan-forgivenesseligibility[.]site
studentloanlawyers[.]org
getstudentloanreliefnow[.]net
studentloanforgivenessform[.]com

SECURITYSNACKS
Queen Elizabeth II

Phishing Attacks for Microsoft Credentials and MFA codes

Her Majesty, Queen Elizabeth II has passed away at age 96. As with other major world events, we unfortunately expect to see questionable related domain registrations. Please be mindful when visiting news or commemoration sites relating to this.

We anticipated questionable domain registrations in relation to this event and ThreatInsight now has corroborating reports that threat actors are using phishing attacks to steal Microsoft account credentials and MFA codes: https://x.com/threatinsight/status/1570092339984584705

Ian Campbell
SECURITYSNACKS
Blue Badge Phishing Campaign

Instagram Campaign

The allure of the blue badge can be too much! A new Instagram phishing campaign using the domain teamcorrectionbadges[.]com shares host infrastructure with several other questionable domains:

  • Teambluebadge[.]com
  • Badgescorrectioncase[.]com
  • Adminbadgessystem[.]shop

While many of these domains are already on blocklists, not all are, suggesting the bad actors might still be performing this attack. The predictive Domain Risk Score for these domains ranges from 88 to 99. We cannot confirm that all these domains are attributable to the same actor, however.

Additional questionable domains to monitor:
truebadgeteamscase[.]com
objectionsfromcloud[.]com
casebadgeclods[.]com
badgeteamclouds[.]shop
badgecaseteam[.]com
teamcloudsbadges[.]com
teamscorrectbadge[.]com
teamcorrectionbadges[.]com

correctlybadgesteam[.]com
badgecaseteam[.]shop

SECURITYSNACKS
Phishing on T-Mobile's Okta

A small list of domains we are seeing registered

We're seeing what could be a precursor to a phishing attack on T-Mobile's Okta instance. The domains we're seeing are registered through CSC Global and Namecheap and hosted on Linode and DigitalOcean. We'll keep you posted on updates; in the meantime, here are the domains:
okta-tmobiie[.]net
t-mobile-okta[.]us
okta-oath[.]com
t-mobile-okta[.]com
okta-tmobile[.]org
okta-tmo[.]org

SECURITYSNACKS
Threat Monitoring Newly Created Ukraine-Related Domain Names

A free threat intelligence feed of newly observed or registered Ukraine-related domain names

If you haven’t yet seen it, the FBI issued a PSA regarding scams relating to donations (both monetary and cryptocurrency) to the crisis in Ukraine. Read the full announcement here: https://www.ic3.gov/Media/Y2022/PSA220531

As a reminder, the free threat intelligence feed of newly observed or registered Ukraine-related domain names is still available to help organizations monitor threats. Learn more and download here: https://ukraine-domains.domaintools.com/

SECURITYSNACKS
Nationwide Formula Shortage Warning

Typo squatted domains around Shawn Johnson’s formula exchange

The nationwide formula shortage is nothing short of devastating but proceed with caution when searching for supply. We’re seeing many new domains registered in the last week around the term ‘babyformula’.

New typo squatting domains are attempting to steer traffic away from Shawn Johnson’s babyformulaexchange[.]com. Note in our screenshot the slight changes in spelling meant to confuse users:

SECURITYSNACKS
Ukraine-Based Fraud/Scam Domain

Confirmed with Global Giving

As noted, we continue to see Ukraine-based fraud/scam domains appear on the Internet. In particular, we have confirmed with @GlobalGiving that the domain globalgiving-ukraine[.]com, which was registered today, is a forgery.

SECURITYSNACKS
Ukraine-Related Domains

Donation Sites

Please be mindful before donating to any domains claiming to help Ukraine. We are seeing many Ukraine-related sites created today, several taking donations for unspecified beneficiaries. See examples in thread below:

helpingukraine[.]org (created at 3:23PM Eastern, nothing on the site yet)
support-ukraine[.]eu - taking donations
donatetoukraine[.]org - set up to take donations, but site's broken
help-for-ukraine[.]eu - taking donations

supportukraine[.]net - taking donations
supportukraine[.]io - not taking donations yet
help-ukraine[.]org - not taking donations yet
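The indicator lists in these posts (student loans, blue badge, T-Mobile Okta, Ukraine donations) are written in the usual defanged form, sometimes with a bullet, a trailing annotation, or a mistyped bracket. The script below is an added example, not part of SecuritySnacks or DomainTools tooling: it refangs such lines into real domains, drops duplicates and non-indicator lines, flags domains that embed a watched brand term, and renders the result as BIND RPZ policy records a resolver can sinkhole. The sample lines, the brand-term list and the zone name are constructed for the example.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of the lists above: a bullet, a bracket
# typo, a stray quote, annotated entries, a duplicate, and a plain URL that
# is not an indicator.
SAMPLE_LINES = """
  • Teambluebadge[.]com
getstudentloanrelief{.]org
okta-tmo[.]org"
support-ukraine[.]eu - taking donations
helpingukraine[.]org (created at 3:23PM Eastern, nothing on the site yet)
teamcorrectionbadges[.]com
teamcorrectionbadges[.]com
https://www.ic3.gov/Media/Y2022/PSA220531
""".strip("\n").splitlines()

# Defanged dot in any of the common spellings: [.] {.} (.) and mixed typos like {.]
DEFANG_DOT = re.compile(r"[\[\{\(]\.[\]\}\)]")
# A syntactically valid hostname: 1-63 char labels, letters/digits/hyphens, alpha TLD
DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Constructed watch list of brand terms these posts revolve around
BRAND_TERMS = ("okta", "tmobile", "lastpass", "globalgiving", "badge", "studentloan")


def refang(text):
    """Turn a defanged dot back into a real dot."""
    return DEFANG_DOT.sub(".", text)


def extract_domain(line):
    """Return the defanged domain at the start of a line as a lowercase
    real domain, or None if the line carries no defanged indicator."""
    line = line.strip().lstrip("•-* ").strip()
    if not line:
        return None
    token = line.split()[0].strip("\"'(),")  # annotations follow the first token
    if not DEFANG_DOT.search(token):          # only accept defanged indicators
        return None
    candidate = refang(token).lower()
    return candidate if DOMAIN.match(candidate) else None


def brand_hits(domain, terms=BRAND_TERMS):
    """Brand terms embedded in the domain, ignoring hyphens and dots so that
    okta-tmo.org and oktatmo.org are judged the same way."""
    flat = domain.replace("-", "").replace(".", "")
    return tuple(t for t in terms if t in flat)


def build_blocklist(lines):
    """Unique refanged domains in first-seen order."""
    seen = OrderedDict()
    for line in lines:
        domain = extract_domain(line)
        if domain:
            seen.setdefault(domain, True)
    return list(seen)


def to_rpz(domains):
    """RPZ policy records that answer NXDOMAIN for each domain and its
    subdomains. The zone's SOA/NS header is left to the resolver config."""
    records = []
    for d in domains:
        records.append(f"{d}\tCNAME\t.")
        records.append(f"*.{d}\tCNAME\t.")
    return "\n".join(records)


if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_LINES)
    for d in blocklist:
        print(f"{d:40s} brand terms: {', '.join(brand_hits(d)) or '-'}")
    print(to_rpz(blocklist))
```

Run as-is it prints six unique domains with their brand-term hits, then the RPZ records; in practice you would feed it the posts' lists and load the rendered records into a response-policy zone rather than blocking by hand.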
